+2009-11-23 Corinna Vinschen <corinna@vinschen.de>
+
+ Use NetBSD fix for CVE-2009-0689 security vulnerability.
+ * libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
+ size_t, as in latest NetBSD.
+ * libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
+ value 15.
+ * libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
+
2009-11-20 Nick Clifton <nickc@redhat.com>
* libc/machine/rx/strncat.S (_strncat): Replace use of r6
#endif /* !_REENT_SMALL */
+/* This value is used in stdlib/misc.c. reent/reent.c has to know it
+ as well to make sure the freelist is correctly free'd. Therefore
+ we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
/*
* All references to struct _reent are via this pointer.
* Internally, newlib routines that need to reference it should use _REENT.
if (_REENT_MP_FREELIST(ptr))
{
int i;
- for (i = 0; i < 15 /* _Kmax */; i++)
+ for (i = 0; i < _Kmax; i++)
{
struct _Bigint *thisone, *nextone;
#include <reent.h>
#include "mprec.h"
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+ The old value of 15 was wrong and made newlib vulnerable against buffer
+ overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+ based on BSD code.
#define _Kmax 15
+*/
_Bigint *
_DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)